By Gregory Hale
It is difficult to paint a rosy picture of security today. With attacks growing more sophisticated and the attack surface broadening, the answers are not easy, but the reality is there are solutions and manufacturers can win out in the end.
“The systems you are in charge of are under attack,” said Dr. Joel Brenner, MIT/Internet Policy Research Initiative (IPRI)-CIS during his keynote address Tuesday at the ICSJWG 2017 Fall Meeting in Pittsburgh, PA. “The ability to carry out the attack is not only with nation states, but by well-funded attack groups.”
That means critical sectors need protection, but keeping all the critical areas secure would not be possible.
“There are critical sectors and then there are really critical sectors,” Brenner said, breaking the critical areas into four key sectors. “The four sectors are oil and gas, financial, electricity and communications.”
With direct attacks on targeted companies like the British national healthcare services, the Ukraine power grid attacks in December 2015 and in December 2016, and the Shamoon attack against Saudi Aramco and RasGas, there is an increasing number of assaults against critical infrastructure organizations.
Add on top of that the increased connectivity that comes with the move to a more digital environment and, the next level after that, the Industrial Internet of Things (IIoT), and the industry is facing an onslaught of new attacks.
Yes, there are advantages to a more digital manufacturing enterprise, but no one should close their eyes to the dangers.
Brenner pointed out that Kaspersky Lab said the percentage of industrial computers under attack grew from over 17 percent in July 2016 to more than 24 percent in December 2016.
Brenner made three security recommendations for manufacturers:
1. Key OT controls must be isolated from public networks if they are to be reasonably secure. Not all networks need to be segregated, only key aspects of OT controls, he said. He admitted there are differences of opinion about appropriate degrees of separation. “Taking control off the Internet does not mean taking it away from digital,” he said. “Not all functions need to be facing the public Internet. Some functions need to be locked up. There are lots of ways to figure out how to isolate.”
2. Governments should support a market for simpler, safer control technology. In this world, complexity is the enemy and malware is easy to insert into the millions of lines of code. In addition, he said, general purpose microchips and general purpose controls are unsuitable for controlling sensitive OT. “If we are going to have simpler controls, there has to be a market for them – and it needs support from governments across the world,” he said.
3. Market incentives must be realigned for cybersecurity. Retirement of legacy systems should be a priority. Brenner said governments should create tax incentives to accelerate the retirement of legacy systems.
When it all comes down to it, he said, “the most difficult cybersecurity challenges are economic and political – not technological.”
The main challenge in doing security research is to quantify network risk, he said. There need to be more facts and figures, and the inability to quantify risk becomes an impediment to security.
“The biggest issue of risk is not the silicon-based element in the computers, it is the carbon-based unit in the chair,” Brenner said.
The industry has been working on security issues for 20 years and Brenner doesn’t feel there has been any real difference in risk.
“We have been facing the consequences of 20 years of wishful thinking,” he said. “Cybersecurity is not getting any better. We have been walking backward on cybersecurity for 20 years. Your security may be better, but we are not more secure. We have got to understand the fundamental problems are political and connected to national will. Now is the time to be clear headed and honest with ourselves on the depth of the problem.”